Re: Lintian info message "hardening-no-bindnow" with vanilla debian/rules

To: debian-python@lists.debian.org
Subject: Re: Lintian info message "hardening-no-bindnow" with vanilla debian/rules
From: Gregor Riepl <onitake@gmail.com>
Date: Tue, 30 Aug 2022 19:33:07 +0200
Message-id: <[🔎] 8db57d64-7cf9-f195-38a5-535715f4c89f@gmail.com>
In-reply-to: <Yw3CIBZK8kBBrp/n@d-and-j.net>
References: <Yw3CIBZK8kBBrp/n@d-and-j.net>

I: python3-pyxdameraulevenshtein: hardening-no-bindnow [usr/lib/python3/dist-packages/pyxdameraulevenshtein.cpython-310-x86_64-linux-gnu.so]

and there is nothing about CFLAGS or the like in the setup.py file.
So if having this hardening flag enabled is a good thing, it should
probably be enabled somewhere within the pybuild system, rather than
every individual package with an extension file doing it.


Hardening is generally a good thing, but can break code in subtle ways.

I suppose that's why it was decided that enabling it by default inDebian was deemed too risky.


Enabling it is quite easy, though: Just add

export DEB_BUILD_MAINT_OPTIONS = hardening=+all

near the top of your d/rules file. Some build systems may requireadditional flags, as documented here: https://wiki.debian.org/Hardening

Also, note that hardening-no-bindnow is an Informational message, so notstrictly something that needs to be acted upon:https://lintian.debian.org/tags/hardening-no-bindnow


YMMV.

Reply to:

Follow-Ups:
- Re: Lintian info message "hardening-no-bindnow" with vanilla debian/rules
  - From: Julian Gilbey <julian@d-and-j.net>

References:
- Lintian info message "hardening-no-bindnow" with vanilla debian/rules
  - From: Julian Gilbey <jdg@debian.org>

Prev by Date: Re: PYTHONPATH with cmake build
Next by Date: Re: PYTHONPATH with cmake build
Previous by thread: Lintian info message "hardening-no-bindnow" with vanilla debian/rules
Next by thread: Re: Lintian info message "hardening-no-bindnow" with vanilla debian/rules
Index(es):
- Date
- Thread